Insights

GDPR – May 25th was just the beginning

The May 25th deadline for GDPR has come and gone and for most people the most tangible aspect was probably the flurry of emails they received in the run up to the deadline containing privacy notices from companies they had forgotten they had signed up with in the first place. Brief coverage of in the news over the go-live period highlighted that the majority of members of the public were unaware of what GDPR stood for or what it meant for them. This may well have been the first and last that they will hear about GDPR, and for companies, it may be tempting to think that the hard work is done and it is back to ‘business as usual’.

This typifies the confusion about what GDPR means in practice; the reality is that the practical ramifications of the new regulations are only likely to become apparent over time.

We can all read the GDPR regulations; the Information Commissioners Office have provided a number of straightforward guides to the regulations: click here to read them. However, once you get into the detail of the new rules they can have some pretty significant practical implications, and while companies have put in place procedures to reflect the rules, I suspect these are to a greater extent untested.

For example, amongst the many emails I received last week was one from a major company I have not had dealings with for a couple of years. So I wrote to them asking for them to delete my information save for what they need to keep for legal or equivalent purposes. One month later I am still waiting for their response!

The more clued-up companies, particularly those whose business models depend on our personal data, are clearly giving this area more thought. Still, based on personal experience it is not clear that they are making it easy for you and I to manage our data and in particular, to control access to it by third parties. For instance, if you go onto a certain social networking site, it is relatively straightforward to use ‘privacy settings’ in order to limit access to your personal data by individuals outside your circle of friends, but try finding similar settings for third-party companies! Indeed, a number of social networking sites have already received lawsuits relating to GDPR, in particular about the ‘all or nothing’ nature of the consent agreements.

For the average company the real practical implications of GDPR are only just starting to emerge. It is likely that the results of high profile lawsuits as well as judgments by the ICO will start to determine some of the de facto practices. Companies will almost certainly need to adjust their processes and procedures as these implications become clear. That said, there are particular areas that companies should already be thinking about:

Use of the data and consents

Cross border data transfer

Portability of data

Data security

Subject access requests

Erasure – ‘right to be forgotten’

Sensitive data

There is a danger that companies ‘tweak’ existing processes to ‘meet’ these requirements rather than thinking more fundamentally about the implications of each of these for their processes. Ultimately, time and the ICO will tell whether they are fit for purpose.

GD Financial Markets has extensive experience helping firms to get ready for GDPR. If you would like practical guidance including an assessment of your current processes, please contact financialmarkets@gordondadds.com.

Contact the Author

I am an advisor with GD Financial Markets, working alongside the partners to develop client offerings. I have extensive experience in financial service operations including technology implementations and regulatory processes, having run Global Operations for an investment bank and more recently as Head of Digital Operations for corporate and institutional businesses.
I also have extensive experience of Asia where I spent six years managing the regional Operations for a US investment bank.
I am a chartered engineer and a member of the Institute of Engineering and Technology.